Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-47723 | 1 Stvs | 1 Provision | 2026-02-17 | N/A | 8.8 HIGH |
|
STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. Attackers can visit malicious web sites to trigger the forge request, allowing them to create new admin users.
|
|||||
| CVE-2020-37007 | 1 Salihciftci | 1 Liman | 2026-02-17 | N/A | 5.3 MEDIUM |
|
Liman 0.7 contains a cross-site request forgery vulnerability that allows attackers to manipulate user account settings without proper request validation. Attackers can craft malicious HTML forms to change user passwords or modify account information by tricking logged-in users into submitting unauthorized requests.
|
|||||
| CVE-2022-0088 | 1 Yourls | 1 Yourls | 2026-02-16 | 4.3 MEDIUM | 7.4 HIGH |
|
Cross-Site Request Forgery (CSRF) in GitHub repository yourls/yourls prior to 1.8.3.
|
|||||
| CVE-2025-69634 | 2026-02-14 | N/A | 9.0 CRITICAL | ||
|
Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token of an admin user.
|
|||||
| CVE-2023-1346 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-02-13 | N/A | 4.3 MEDIUM |
|
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the clear_page_cache function. This makes it possible for unauthenticated attackers to clear the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2026-24885 | 1 Kanboard | 1 Kanboard | 2026-02-13 | N/A | 5.7 MEDIUM |
|
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the changeUserRole action. Although the request body is JSON, the server accepts text/plain, allowing an attacker to craft a malicious form using the text/plain attribute. Which allows unauthorized modificat ...
Show More |
|||||
| CVE-2020-37054 | 1 Naviwebs | 1 Navigate Cms | 2026-02-13 | N/A | 4.3 MEDIUM |
|
Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation.
|
|||||
| CVE-2026-2317 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-02-13 | N/A | 6.5 MEDIUM |
|
Inappropriate implementation in Animation in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
|
|||||
| CVE-2025-64271 | 1 Hasthemes | 1 Wp Plugin Manager | 2026-02-13 | N/A | 6.5 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in HasThemes WP Plugin Manager wp-plugin-manager allows Cross Site Request Forgery.This issue affects WP Plugin Manager: from n/a through <= 1.4.7.
|
|||||
| CVE-2019-25313 | 2026-02-12 | N/A | 4.0 MEDIUM | ||
|
FlexNet Publisher 11.12.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious HTML form to trick authenticated users into submitting a request that creates a new local admin account with a predefined password.
|
|||||
| CVE-2026-1215 | 2026-02-11 | N/A | 4.3 MEDIUM | ||
|
The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the `mma_call_tracking_menu` admin page. This makes it possible for unauthenticated attackers to modify call tracking configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-59891 | 1 Flexense | 2 Diskpulse, Syncbreeze | 2026-02-10 | N/A | 8.0 HIGH |
|
Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to change a user's password or create users via '/setup_login?sid=', affecting the 'username', 'password', and 'c ...
Show More |
|||||
| CVE-2025-59892 | 1 Flexense | 2 Diskpulse, Syncbreeze | 2026-02-10 | N/A | 8.0 HIGH |
|
Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to delete commands individually via '/delete_command?sid=', using the 'cid' parameter.
|
|||||
| CVE-2025-59893 | 1 Flexense | 2 Diskpulse, Syncbreeze | 2026-02-10 | N/A | 8.0 HIGH |
|
Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to rename commands via '/rename_command?sid=', affecting the 'command_name' parameter.
|
|||||
| CVE-2025-59894 | 1 Flexense | 2 Diskpulse, Syncbreeze | 2026-02-10 | N/A | 8.0 HIGH |
|
Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to delete all commands via '/delete_all_commands?sid='.
|
|||||
| CVE-2026-25151 | 1 Qwik | 1 Qwik | 2026-02-10 | N/A | 5.9 MEDIUM |
|
Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0.
|
|||||
| CVE-2026-25155 | 1 Qwik | 1 Qwik | 2026-02-10 | N/A | 5.9 MEDIUM |
|
Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.
|
|||||
| CVE-2026-24666 | 1 Gunet | 1 Open Eclass Platform | 2026-02-10 | N/A | 6.5 MEDIUM |
|
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted endpoints allows attackers to induce authenticated teachers to perform unintended actions, such as modifying assignment grades, via crafted requests. This issue has been patched in version 4.2.
|
|||||
| CVE-2025-61547 | 1 Edubusinesssolutions | 1 Print Shop Pro Webdesk | 2026-02-10 | N/A | 6.8 MEDIUM |
|
Cross-Site Request Forgery (CSRF) is present on all functions in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.76). The application does not implement proper CSRF tokens or other other protective measures, allowing a remote attacker to trick authenticated users into unknowingly executing unintended actions within their session. This can lead to unauthorized data modification such as credential updates.
|
|||||
| CVE-2026-1745 | 1 Oretnom23 | 1 Medical Certificate Generator App | 2026-02-10 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
|
|||||
| CVE-2026-24434 | 1 Tenda | 2 Ac7, Ac7 Firmware | 2026-02-10 | N/A | 6.5 MEDIUM |
|
Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator to perform unintended state-changing requests and modify router settings.
|
|||||
| CVE-2020-37106 | 2026-02-09 | N/A | 5.3 MEDIUM | ||
|
Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with administrative access parameters.
|
|||||
| CVE-2026-1082 | 2026-02-09 | N/A | 4.3 MEDIUM | ||
|
The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in `inc/settings-page.php`. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-66595 | 2026-02-09 | N/A | N/A | ||
|
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation.
This product is
vulnerable to Cross-Site Request Forgery (CSRF). When a user accesses a link
crafted by an attacker, the user’s account could be compromised.
The
affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to
R10.04
|
|||||
| CVE-2026-24962 | 2026-02-09 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery.This issue affects Sigmize: from n/a through <= 0.0.9.
|
|||||
| CVE-2026-1153 | 1 Technical-laohu | 1 Mpay | 2026-02-06 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used.
|
|||||
| CVE-2025-14472 | 1 Acquia | 1 Acquia Content Hub | 2026-02-06 | N/A | 8.1 HIGH |
|
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3.
|
|||||
| CVE-2026-1785 | 2026-02-06 | N/A | 4.3 MEDIUM | ||
|
The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page.
|
|||||
| CVE-2025-27454 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-02-06 | N/A | 4.3 MEDIUM |
|
The application is vulnerable to cross-site request forgery. An attacker can trick a valid, logged in user into submitting a web request that they did not intend. The request uses the victim's browser's saved authorization to execute the request.
|
|||||
| CVE-2026-22030 | 1 Shopify | 2 React-router, Remix-run\/react | 2026-02-05 | N/A | 6.5 MEDIUM |
|
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been p ...
Show More |
|||||
| CVE-2020-37145 | 2026-02-05 | N/A | 4.3 MEDIUM | ||
|
HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user accounts with elevated privileges.
|
|||||
| CVE-2020-37118 | 2026-02-05 | N/A | 3.5 LOW | ||
|
P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking authenticated users into loading a specially crafted page.
|
|||||
| CVE-2020-37144 | 2026-02-05 | N/A | 5.3 MEDIUM | ||
|
Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative privileges without the victim's consent.
|
|||||
| CVE-2026-24345 | 1 Nimbletech | 2 Ezcast Pro Dongle Ii, Ezcast Pro Dongle Ii Firmware | 2026-02-05 | N/A | 8.8 HIGH |
|
Cross-Site Request Forgery in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to bypass authorization checks and gain full access to the admin UI
|
|||||
| CVE-2024-40685 | 2026-02-05 | N/A | 4.3 MEDIUM | ||
|
IBM Operations Analytics – Log Analysis versions 1.3.5.0 through 1.3.8.3 and IBM SmartCloud Analytics – Log Analysis are vulnerable to a cross-site request forgery (CSRF) vulnerability that could allow an attacker to trick a trusted user into performing unauthorized actions.
|
|||||
| CVE-2020-37026 | 2026-02-04 | N/A | 5.3 MEDIUM | ||
|
Sickbeard alpha contains a cross-site request forgery vulnerability that allows attackers to disable authentication by submitting crafted configuration parameters. Attackers can trick users into submitting a malicious form that clears web username and password, effectively removing authentication protection.
|
|||||
| CVE-2025-15550 | 2026-02-04 | N/A | 5.3 MEDIUM | ||
|
birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query parameters.
|
|||||
| CVE-2026-1835 | 2026-02-04 | 5.0 MEDIUM | 4.3 MEDIUM | ||
|
A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified.
|
|||||
| CVE-2020-37091 | 2026-02-04 | N/A | 5.3 MEDIUM | ||
|
Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload capabilities through the FAQ attachment system.
|
|||||
| CVE-2026-0818 | 1 Mozilla | 1 Thunderbird | 2026-02-04 | N/A | 4.3 MEDIUM |
|
When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, ...
Show More |
|||||